To interact with ANZ Fileactive APIs, authentication is handled using OAuth 2.0 with the Client Credential Grant flow. This ensures secure access to the API resources by obtaining a bearer token, which is then used for authorizing API requests.
Key points:
- Endpoint: All authentication requests should be sent to the
/v1.0/auth
endpoint. - Grant Type: Use
client_credentials
as the grant type for obtaining tokens. - Token URL: The token URL is
https://api.fileactive.anzgcis.com/v1.0/auth
. - Scopes: Specific scopes define the permissions, such as:
AU.INSTO.PAYMENT.NPP.CREATE
- For creating NPP Payment resources.AU.INSTO.PAYMENT.NPP.READ
- For retrieving NPP Payment resources.AU.INSTO.PAYMENT.CBFT.CREATE
- For creating CBFT Payment resources.AU.INSTO.PAYMENT.READ
- For retrieving payment resources (except AU NPP).
- Headers: Include an API key in the header using
apikey
as the parameter name.
Example Request:
To request a token, send a POST
request with the required parameters in application/x-www-form-urlencoded
format. The request must also include your API key in the header for authentication.
curl --request POST \
--url "https://api.fileactive.uat.anzgcis.com/auth" \
--header "Content-Type: application/x-www-form-urlencoded" \
--header "apikey: 111abc23233223" \
--data "grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&scope=AU.INSTO.PAYMENT.NPP.CREATE&client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJHUkFQRSIsImV4cCI6IjE3Mjg3NzQ5NzMiLCJhdWQiOiJodHRwczovL2FwaS5maWxlYWN0aXZlLnVhdC5hbnpnY2lzLmNvbS9hdXRoIn0.bKkKtGbdbJTKhi6ViSqfXJXqZf_NISgNGc0rSs32YK-FJF6ZeOy63BUoZXcsdaPKA0K3CE5Smi-jmHf7tW109lsDaoYO8hU3pDqNjyx8oZO157nLUBt68OMzbZOKDGBg6T9p8qLPllfGvVX3m5XqkGN5I2kaLPnofWONYRiR6Y_qWHB6IbzXSLhpxvWcRJ0Fb5HoEJi3xAO7eG78xnevVSEv5aIe57q2ba6btyciaU-dnfceMJOzsjjAyr4k10B-S3M9ckhYfeIRqwR4ZzHukiwVH9s5sl9MC3kKBGzjtIvTTw3HZH0MT5wS1fFwb4UAbpppphDMQzWJ-7fww3A5Iw"
Example Response:
On success, you’ll receive a bearer token in the response, which is used for authorisation in subsequent API calls.
{
"expires_in": 3600,
"token_type": "Bearer",
"access_token": "eaaa13ee-b596-a8cc-b9d4-f778f8bb9377"
}
Usage Notes:
- authorisation Header: Include the
access_token
in theauthorisation
header asBearer <access_token>
. - Token Refresh: Tokens expire according to the
expires_in
value. Ensure you handle token renewal to maintain API access.
Important Note:
The client_assertion field in your request must be a JWT (JSON Web Token) that is signed with your private key. This ensures the integrity and authenticity of the request. The private key should correspond to the public key that ANZ has on file.
If the client assertion is not properly signed, the authentication request will fail.